Vedanvis risk transformation brochure

Achieving Risk Mastery

5 Key Strategies

to an efficient, cost effective and value adding Risk Function

BUSINESS & RISK CONSULTING

2

Contents

Risk Management in the Spotlight ` 3

Risk & Compliance Functions Under Increasing Pressure 4

10 Questions Boards should be asking themselves 5

Risk Mastery -‐ Key Strategies for Risk Transformation 6

1. Realigning to the New Normal 7 2. Reducing Costs 8 3. Enhancing Operational Efficiencies 10 4. Enhancing value added by the Risk Function 11 5. Taming the Regulatory Tsunami – Proactive Compliance 12

What are the Next Steps 13

3

“It takes 20 years to build a reputation and 5 minutes to ruin it and if you understand this you will

do things differently” Warren Buffet

Risk Management in the Spotlight A need for transformation

121

Risk & Regulatory Management in the

Spotlight

Governance, Risk and Compliance (GRC) is a multibillion-‐

dollar industry worldwide and signs are that it’s growing.

A 2009 AMR Research Inc. study found that US companies

were expected to spend $29.8 billion on GRC across

software ($9.2bn), external services ($6.6bn) and internal

efforts ($14.0bn). Risk management followed by

regulatory compliance was sighted as the key driver for

the expenditure.

Europe would be expending around the same level

investment to deal with risks and meet regulatory

requirements. Indeed, just for Solvency II alone, the

Financial Services Authority estimated that UK insurers

would be spending £3bn on implementation alone, over

and above ongoing costs of between £200 million and

£400million annually.

2

Despite the significant level of investment, apart from

pockets of excellence, few financial services firms seem to

have benefited significantly. In a 2012 study, the Chartered

Institute of Internal Auditors (CIIA) found that 60% of fines

levies by FSA in 2011 were down to weaknesses in risk

management systems.

In light of the current economic environment, Boards are

putting significant pressure on risk managers to show

measurable return on investment. No longer can risk

functions justify their existence by simply preventing

losses and ”keeping regulators at bay”.

On a positive front, there is growing evidence that firms

see effective risk management as a means to enhanced

reputation, greater competitiveness and market share.

This does however mean that risk management

organisations need to reassess and realign strategies,

processes and infrastructure to deliver value at reduce

costs, thereby enhancing return on investment.

4

.

The Risk and Compliance Functions are under

significant pressure from various stakeholders,

including the Board, Business Unit Customers,

Insurer’s Customers and Regulators:

1. Transforming to the changing risk and

regulatory landscape. Financial services firms

are having to deal with the “new normal”; new

emerging risks, new scenarios previously

considered implausible (including sovereign

failure), and a constantly evolving regulator (in

UK, for example the creation of PRA and FCA)

and regulation. The Risk & Compliance

Function also has a role to play in winning over

customer confidence in financial services firms.

2. Pressure to add more value. Risk and

Compliance Functions are under significant

pressure to enhance return on investments,

and adding demonstrable value to overall

business performance – or optimizing

Risk/Return to enhance balance sheet

performance. No longer is the Board and the

business content with the Risk Function

keeping the regulators at bay and preventing

down side risk only.

3. Lean Risk & Compliance Functions. As Risk &

Compliance Functions reach maturity,

performance improvement and cost

containment become key priorities, whilst

ensuring value built thus far is not diluted.

These Functions are looking for new ways to

streamline and integrating process, leverage

automation, embed risk management into

business process and explore new sourcing

options to leverage economies of scale.

Risk & Compliance Functions Under Increasing Pressure

4. Coping with Regulatory Tsunami. In

response to the financial crisis, the volume of

regulation and regulatory guidance (including

speeches and announcements) has increased

exponentially. Firms are finding it s great

challenge just to keep on top of regulatory

developments, let alone ensure compliance

5. Awakening to the implication of more

frequent and resource intensive reporting.

Senior management and regulators demand

greater level of reporting to enhance

transparency in the hope that any impending

danger is highlighted early and mitigation

actions taken before risks materialize. Solvency

II for example requires an annual Solvency and

Financial Condition Report (SFCR), quarterly

Returns to Supervisors (RTS), and Own Risk and

Solvency Assessment Reports (internally and to

the regulator), and specific reports on an ad-‐

hoc basis following a material event. The level

and frequency of reporting puts added

pressure on the Risk & Compliance Function.

The changing economic and regulatory landscape

coupled with the internal pressures being places on

the Risk & Compliance Functions, requires them to

transform and adapt to the new normal.

Transformation will follow a journey of continuous

improvement as these Functions evolve into a

critical business enhancing functions that financial

services firms cannot do without.

5

1

1. What does risk management mean to us as a Board?

2. Are we as a Board and collectively as a company effective in identifying,

measuring and managing risks?

3. Do we know what value we get out of our risk management organisation?

What value should we be getting and how does it compare with our peers?

4. Is my Risk Function effective in helping us stay on top of risks?

5. What is my total cost of risk? What is the optimal cost of risk as a percentage

of gross revenue? Where do we stack up against our competitors?

2

6. What are my key risks? How can I be assured that there are no unknown or

ignored risks lurking in my organization?

7. Are we taking the right amount of risks?

8. Are people in our organization risk aware? Do we encourage the right risk

taking behaviours?

9. Is risk management integrated naturally into our business or is the framework

divorced from how risks are actually dealt with at the cold face

10. Are we receiving the right risk information in a timely fashion?

10 Questions Boards should be Asking Themselves

6

Risk Mastery Key Strategies for Risk Transformation

Achieving Risk and Compliance mastery has to be the

prime goal for orgnaisations that want demonstrable

commercial value from their Risk and Compliance

Functions, at reduced cost and with enhanced process

efficiency. For organisations achieving risk mastery, the

benefits could be significant. Some example include:

• Anticipation and proactive management of new

and impending events that could dilute risk

adjusted return on capital, profitability and

reputational value;

• An aggregate risk view highlighting specific areas

where greater risk taking could maximize upside

by stopping unnecessary value leak;

• Controls automatically embedded into the most

detailed level processes greatly minimizing errors

leading to losses, customer redress issues or

regulatory fines; and

• Regulatory developments are automatically

tracked and mapped processes enables quick

planning and execution of regulatory change.

To improve return on investment in risk and compliance

initiatives require:

• Adding more value or achieving more with the

same cost base;

• Adding more value through greater risk taking

and thereby enhancing risk adjusted return on

capital; and

• Reducing the total cost of risk management by

reducing unit cost of the Risk and Compliance

Function, and reducing losses incurred from

known and unknown risks.

Costs and process efficiencies are easier to quantify and

should be the natural starting point, exploiting as many

“low hanging fruits” as possible. Value generated by risk

and compliance is sometimes harder to quantify, although

clear examples will be presented in this paper. Enhancing

value is often a medium term goal achieved over time.

5 Key Strategies are explored to enhance value, improve

process efficiency and reduce costs:

1. Realigning to the new normal and tighten up risk

management

2. Reducing costs

3. Enhancing process efficiency through systems

integration

4. Enhancing value added by the Risk Function

5. Taming the Regulatory Tsunami – proactive

compliance

7

“When you change the way you look at things, the things

you look at change” Wayne Dyer

1

The world is constantly evolving and so are risks and opportunities confronting financial services orgnaisations. Leading ones are nimble, can foresee and understand impact of new emerging risks and re-‐aligning to ensure that priority is given to the right risks and blind spots / unknown risks are avoided. If successfully achieved, this can add significant value. Enron, Lehman, BP, Blackberry and Arthur Andersons are only a few example of how undiscovered or un-‐managed risks can either wipe out an entire organisation (no matter its size) or significantly erode market value (e.g. Blackberry).

The risk landscape is changing. Already as early as 2007, in a study carried out by the Economist Intelligence Unit, (involving a survey of 200 major orgnaisations) participants indicated that risks related to human capital, reputation and regulatory compliance were most threatening, while traditional quantifiable risks, such as financial risk, credit risk and foreign exchange risk as least threatening

In AON’s annual Global Risk Management Survey 2013, (involving more than 1,400 respondents) top risks included economic slowdown/slow recovery, regulatory & legislative Change, and Damage to Reputation and Brand. Counterparty credit risk was ranked 20th and Interest rate fluctuations ranked 31st. AON felt that computer crimes/viruses/malicious hacking (ranked 18th), social media

(ranked 40th) and pension risk funding (ranked 47th) were

potentially underestimated as they all had a potential for significant concern.

Martin Wheatley, Head of Financial Conduct Authority in the UK, in a recent speech stated that they would be focusing on Behavioural Economics, taking consideration of the human element of risk management both on the part of the financial services firm and their customers.

Without the realignment, the organisation is increasingly exposed to new and unmanaged threats, while the opportunity to optimize cost of well-‐managed risks is lost.

2

3 Key Strategies to Aligning Risk Management

1. Get a comprehensive understanding of risks Review the risk universe regularly to unearth unmanaged and unknown risks. Using this same exercise, also identify risks that are well managed. This exercise will help to realign resources, present areas where cost savings can be made, and highlight areas where new capabilities need to be developed. In practice, successfully executing such strategies require a comprehensive and well coordinated approach across all areas and levels of the organisation, supportive information technology, an embedded risk culture and cohesion between functions (breaking down existing silos).

2. New Risks require New Alliances The benefits of Risk and Finance integration are well known and much activity directed at driving efficiencies and synergies between these two areas. New emerging risks around people and reputation require new collaborative activity between the Risk and Compliance Function and Human Resources as well as Corporate Communications, for example. Closer link with the Strategy Department is also paramount given the strategic nature of emerging risks, which if materialized, could shake the very existence of the organisation regardless of size /.

3. Regulatory Engagement UK firms need to develop a new engagement model to respond to the “Twin Peaks” model involving the Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA). A proactive and active engagement model will help build the regulator’s trust resulting in a hopefully less intrusive approach. This could lower regulatory risk management costs and minimize disruptions caused by regulatory interventions.

1. Realigning to the “New Normal” and Tightening Up Risk Management Effort

Top 10 Risks 1. Economic Slowdown / Slow Recovery

2. Regulatory / Legislative Change

3. Increasing Competition

4. Damage to Reputation / Brand

5. Failure to attract and retain top talent

6. Failure to innovate / meet customer need

7. Business Interruptions

8. Commodity Price Risk

9. Cash flow / Liquidity Risk

10. Political Risks / Uncertainties

AON Global Risk Management Survey 2013

8

What does risk and management of these risks cost my

organization? Often, a question that most organisations

would find difficult to answer. Measuring this cost would

help to assess return on investment and support efforts to

introduce cost efficiencies. How is cost measured?

Expanding on AON’s concept of Total Cost of Risk (TCOR),

costs can be quantified by adding:

• Cost of loss, including regulatory fines, loss

caused by errors (investment loss or customer

redress for example) and retained risks if they

are insured or hedged -‐ reputational risk and

opportunity costs, although difficult, would be

worthwhile quantifying somehow (even if

estimated);

• Risk mitigation costs (hedging costs and

insurance premiums)

• Internal costs including Risk & Compliance staff

and related infrastructure and other operational

costs (this would include costs across all 3 lines

of defense)

In practice, data limitations and lack of knowhow and skills

are common reasons why firms fail to measure cost of risk.

Significant benefits are available to those firms who are

able to surmount this challenge.

Although it may sound paradoxical, reducing cost can

indeed be achieved whilst improving process efficiency

and driving higher value. Cost reduction is often a catalyst

for performance improvement and efficiency gains.

3 Key Cost Reduction Strategies

1. Reducing losses.

This is a key responsibility of the Risk Function

anyway and TCOR is a great measure of its

effectiveness. Firms will need to get a good handle

on pinpointing areas where losses have occurred and

are likely to occur.

Process, systems and human related losses, as well as

regulatory fines for compliance breeches can be

minimized by embedding, where possible, automated

controls deeply within processes. This could for

example be achieved through a behaviour and rules

based technology engine through which process

would need to pass. If rules are not complied with,

the process is not executed, or flags up an approval

requirement. Such technology is in existence and

worth exploring.

2. Reducing Internal Costs

The obvious choice for most firms is to reduce

headcount. This may well be the most appropriate

strategy, however if executed without careful

planning, it could potentially dilute some of the value

that a Risk and Compliance Function would have built

up within their organisation. Innovative sourcing

models, if implemented effectively, can help to

ensure value retention (and indeed enhancement) at

a reduced cost base.

An example of a sourcing model could involve

transfer of certain Risk and Compliance Function

personnel into a third party service provider. The

deal could initially guarantee an initial level of cost

reduction with the flexibility to flex up or down.

2. Reducing Costs

High Value Support

Knowledge Centre of Excellence

Business Process Outsourcing

9

To ensure value is maximized and operational cost

optimized, we believe a three-‐tier sourcing model is

worth exploring.

Business Process Outsourcing as the base

Routine tasks such as information gathering, collating

reporting figures, producing reports based on defined

templates, are good examples of the type of non-‐core

work that can be outsourced.

Knowledge Centers

For more complex work, knowledge centers staffed

with skilled personnel can be utilized effectively and

could be a source of significant cost reduction.

Examples of work that such centers could deliver

include actuarial and quantitative processes such as

model development, model validation, data

aggregation, pricing, product development support,

etc.

High Value Support

Governance, risk management and compliance can be

a complex business. Chief Risk Officers now need to

be skilled in a multiplicity of very complex areas in

addition to having excellent stakeholder management

skills ensuring full engagement of the Board and

other key stakeholders. Many often would find it

beneficial to get advice and guidance from a

peer/coach. We believe executives would find it

helpful to be able to tap into a pool of highly skilled

and experienced peers to help resolve complex and

strategic problems. Example of areas of support

include: dealing with regulatory enforcement,

reviewing effectiveness of Boards in overseeing and

managing risks, assessing risks of entering new

markets or change in strategic direction, etc. In such

cases, executives want to ensure that they get

support from people who have relevant practical

experience, having actually executed such projects

and strategies, rather than theory based consultants.

3. Reducing cost of Insurance

Case Study: Individual business units within a large

composite insurer were allowed to determine their

own level of reinsurance required to mitigate risks.

The results on a group wide basis was that these

businesses reinsured more than what was optimal

from a risk/reward perspective. Their negotiation

power was also limited given the small scale of each

reinsurance transaction, resulting in higher prices or

reinsurance.

Solution – The Group established a centralized

captive reinsurer and all Life and General Insurance

reinsurance had to be placed via this captive.

Results – On an aggregate basis, the Group could

exploit diversification benefits and retain certain

previously reinsured risks, enhancing return on

economic and regulatory capital. The Group also had

the power to negotiate lower price of reinsurance,

given the level of volumes of business.

High Value Support

Knowledge Centre of Excellence

Business Process Outsourcing

Sourcing or Shared Service model

10

3. Enhancing Operational Efficiencies through Systems Integration

Reporting Case Study

Integrate Systems to Drive Lower Costs & Yield

Commercial Insights

Systems integration as a means to reduce costs is by no

means a new concept. Many firms have however found it

challenging to implement this in practice. A multiplicity of

systems build on different standards often makes it

challenging for data to be transferrable across systems. If

data is indeed transferrable, then data integrity is often

questionable.

Systems integration offers several business benefits:

• If data can be treated equally across different systems,

this open up potential to gain new insights cross

functions (e.g. Risk, Compliance, Finance, HR,

Products, etc.) or cross businesses.

• If regulators adopt such a standard, multijurisdictional

regulatory reporting can easily be centrally processed

with significant operational efficiency and reduced

costs.

• Accuracy of internal and external report would

improve, hence avoiding wrong decision based on

incorrect data or worse, regulatory censure for

incorrect reporting.

• Ability to easily change systems or service provides,

thereby driving competition and reducing cost.

Case Study -‐ Reporting

In the case of financial reporting, XBRL (eXtensible

Business Reporting Language) is an emerging standard

that promises to preserve data integrity across variety of

systems. XBRL is a language for electronic communication

of business and finance data. It provides benefit in the

preparation, analysis, and communication of business

information. It has robustly demonstrated cost savings,

greater efficiency and improved accuracy and reliability.

Regulators are widely adopting and mandating this

standard regulatory reporting. HMRC in UK has already

adopted this standard, so all tax filings are now done

through XBRL. 1 January 2013 was set as the deadline for

banks to use XBRL to send data to their regulator who in

turn send consolidated information to the European

Banking Authority (EBA). EBA has developed XBRL based

taxonomy in the form of COREP and FINREP reporting

standards. Similarly the European Insurance &

Occupational Pensions Authority (EIOPA) is mandating an

XBRL reporting framework for insurers to start reporting

to their regulator from 1 January 2014. XBRL adoption

will continue to accelerate given the benefits it offers.

Market estimates indicate that if implemented skillfully,

and synergies exploited, this new reporting framework

could significantly reduce processing times (up to 70% in in

some cases) and if reporting was done centrally, reduced

costs of reporting for global firms.

11

Baring some exceptions, gone are the days when financial

services firms will incur risk and compliance cost only to

satisfy regulatory requirements or merely deal with down

side risks. The Board and front line business demands

more value from their investment in the Risk Function.

So how can the Risk Function add more value to the

business? We set out 3 ways to greater value creation

1. From Risk Overseers to Risk Advisors

As overseers, the Risk Function has little chance to

add real value. Risk Functions that take a very literal

interpretation of the “2nd line of defence”, will often

be inclined to restrict themselves “wanting to remain

independent”. Business units equally would be

forgiven for viewing the Risk Function as a hindrance.

By becoming true advisors, the Risk Function could,

while maintaining independence, help and guide the

businesses in identifying and managing risks on a day-‐

to-‐day basis, and providing real time assurance to

senior management and other stakeholders. They

could also suggest opportunities for the business to

take more risks through their aggregate risk analysis.

2. Benchmarking – Giving Something Back.

As aggregators of information, the Risk Function is

ideally placed to provide useful analytics back to the

business. This data will allow business units to

benchmark themselves and strive towards improved

performance. This ought to help get greater business

buy-‐in as business is used to getting requests for

information from the business and never expecting

anything back.

3. Early Warning System – a Forward Looking

Approach

Risk is ideally placed to co-‐ordinate comprehensive

scenario analysis and reverse stress testing

exercises to help the organisation become

proactive in anticipating and mitigating risks

before they have the chance to materialize. For

this to become a reality though, the Risk Function

needs tools, capability, an intelligent team and the

bandwidth to anticipate remote and unknown

risks. Intelligent sourcing could yield this outcome

at lower costs.

4. Enhancing Value added by the Risk Function

2nd Line of Defence Analogy

Picture the Titanic sailing on a collision course with an iceberg. The Chief Risk Officer is in the lookout tower and sees what is about to happen.

Taking a pure 2nd line of defence approach, the CRO thinks to himself saying

“Mmmm, I wonder whether the captain will steer the ship to avoid the iceberg. I will watch and see whether he complies with the policies and guidelines. I can’t interfere as I need to maintain my independence.”

The Titanic sinks and the CRO (who happened to survive), reports to tribunal, pointing out the breach of policy and controls – job done.

Conversely, taking a risk advisory approach, the CRO would have shouted out to the Captain saying

“Ahoy there Captain – not my call, but I think you should steer the ship five degrees to the left as an iceberg collision is imminent if you stay on course.”

The Captain responds and steers the ship away from the iceberg. All are saved and the Captain is pleased with the warning given by the CRO.

12

“The trouble with government regulation of the market is that it prohibits capitalistic acts between consenting adults. ” ~ Robert Nozick

5. Taming the Regulatory Tsunami – Proactive compliance

In the wake of the financial crisis, regulators are stepping

up supervisory initiatives and introducing a raft of new

regulation and guidance. According to Reuters, in 2011,

there were 14,215 regulatory announcements -‐ 60 per day

on average. The announcements can include anything

from speeches to final binding rules.

Ironically, the very regulations aimed at preventing

another financial crisis are now featured in second position

in the top 10 global risks in AON’s Global Risk Management

Survey 2013. Although willing, firms are naturally

struggling to comply:

• The volume of regulatory change significantly

increases the chances of regulatory breeches

that could result in regulatory censure

(including fines) and possible reputational

damage. The ever-‐changing rules makes it

extremely challenging for front line customer

facing personnel to consistently comply –

mistakes are inevitable.

• The cost of compliance significantly increases

under the current regulatory landscape as firms

are having to skill up by recruiting more

compliance professionals and solicit help from

external third parties.

The “Twin Peaks” approach to regulation in the UK adds

further complexity and potential cost as now financial

services firms face two regulators, the Prudential

Regulatory Authority (PRA) and Financial Conduct

Authority (FCA) with different regulatory approaches.

How are leading firms dealing with Regulatory Tsunami?

Leading firms are taking a proactive stance by

leveraging the power of information technology.

Although early days, compliance solutions emerging

demonstrate the following attractive features:

• A comprehensive library of continually

updated regulation and guidance. The library

incorporates robust ontology allowing

searchability and inter-‐linkages between

regulations.

• Powerful analytic systems to analyse and

measure compliance on a real time basis. The

system uses existing data, its rules and

behaviours and information from experts.

• Detailed end-‐to-‐end processed mapped to

specific regulatory line item, allowing for

workflow development that helps to capture

evidence based documentation and key risk

and performance metrics.

Key benefits of a systems based approach include:

• Real time compliance monitoring, that

prevents breeches of regulatory rules or

internal policies and acts as early warning

system of impending breeches

• An early warning system allowing firms to

anticipate potential regulatory breeches.

• Documentary evidence tagged to regulation,

allowing for enhanced compliance monitoring

and regulatory interactions.

13

What are the Next Steps

This paper merely explores some ideas of ways in which

the Risk and Compliance Function could transform to yield

higher value at reduced costs and with improved process

efficiency.

Clearly they may well not be appropriate or relevant for

your particular needs, hopefully though, these ideas would

have stimulated thinking of the possibilities open to

organisation and their associated benefits.

Continuous improvement should be an ongoing journey

for any organisation and Risk and Compliance is by no

means an exception. Regular self assessment and

resulting programme of improvement will help ensure that

Risk and Compliance Function remain relevant and are

structured to add value rather than be a cost burden to

firms.

The transformation journey could start out with a

comprehensive diagnostic exercise informing on the

current state, including the assessment of perceived value

added, quantification of total costs and understanding

components of TCOR, and mapping current process.

The information gathered from the diagnostic phase could

be benchmarked against the more sophisticated

competitors (i.e. best practice) and regulatory

expectations.

If sufficient gaps are identified, the transformation journey

should begin with a clear picture of the end state,

quantifying at a detailed level, the desired outcomes, for

example

• internal costs reduced by 25%

• Losses reduced by 10%

• Reduction in error rates by 60%

• Reducing reporting times by two weeks,

• etc

The gaps resulting from the diagnostic phase would help

to inform a detailed implementation plan. Stakeholder

engagement is key to designing and executing the plan.

Relevant third party partners or service providers could

support execution.

Vedanvi Ltd

For more information contact:

Jay Tikam

Tel: +44 (0) 203 102 6750

Mob: +44 (0) 778 551 8471

Email: [email protected]

45 King William Street

London, EC4R 9AN

BUSINESS & RISK CONSULTING